دسترسی نامحدود
برای کاربرانی که ثبت نام کرده اند
برای ارتباط با ما می توانید از طریق شماره موبایل زیر از طریق تماس و پیامک با ما در ارتباط باشید
در صورت عدم پاسخ گویی از طریق پیامک با پشتیبان در ارتباط باشید
برای کاربرانی که ثبت نام کرده اند
درصورت عدم همخوانی توضیحات با کتاب
از ساعت 7 صبح تا 10 شب
دسته بندی: امنیت ویرایش: 3rd نویسندگان: Robert Winch Mick Knutson Peter Mularien سری: ناشر: Packt سال نشر: 2017 تعداد صفحات: 530 زبان: English فرمت فایل : PDF (درصورت درخواست کاربر به PDF، EPUB یا AZW3 تبدیل می شود) حجم فایل: 12 مگابایت
در صورت تبدیل فایل کتاب Spring Security به فرمت های PDF، EPUB، AZW3، MOBI و یا DJVU می توانید به پشتیبان اطلاع دهید تا فایل مورد نظر را تبدیل نمایند.
توجه داشته باشید کتاب امنیت بهار نسخه زبان اصلی می باشد و کتاب ترجمه شده به فارسی نمی باشد. وبسایت اینترنشنال لایبرری ارائه دهنده کتاب های زبان اصلی می باشد و هیچ گونه کتاب ترجمه شده یا نوشته شده به فارسی را ارائه نمی دهد.
Cover ......Page 1
Copyright......Page 3
Credits......Page 4
About the Authors......Page 5
About the Reviewers......Page 7
www.Packtpub.com......Page 8
Customer Feedback......Page 9
Table of Contents......Page 10
Preface......Page 23
Chapter 1: Anatomy of an Unsafe Application ......Page 30
About the sample application......Page 31
The JBCP calendar application architecture......Page 33
Reviewing the audit results......Page 35
Authentication......Page 37
Authorization......Page 40
Transport-level protection......Page 43
Why Spring Security?......Page 44
Summary......Page 45
Chapter 2: Getting Started with Spring Security ......Page 46
Updating your dependencies......Page 47
Using Spring 4.3 and Spring Security 4.2......Page 48
Implementing a Spring Security XML configuration file......Page 49
The ContextLoaderListener class......Page 51
ContextLoaderListener versus DispatcherServlet......Page 52
The springSecurityFilterChain filter......Page 53
The FilterChainProxy class......Page 54
Running a secured application......Page 55
A little bit of polish......Page 56
Customizing login......Page 57
Configuring logout......Page 61
The page isn't redirecting properly......Page 62
Basic role-based authorization......Page 63
Expression-based authorization......Page 67
Conditionally displaying authentication information......Page 68
Customizing behavior after login......Page 70
Summary......Page 73
Chapter 3: Custom Authentication ......Page 74
The Event object......Page 75
The UserContext interface......Page 76
The SpringSecurityUserContext interface......Page 77
Managing users in Spring Security......Page 80
Logging in a new user to an application......Page 82
Creating a custom UserDetailsService object......Page 84
The CalendarUserDetailsService class......Page 85
Configuring UserDetailsService......Page 86
Removing references to UserDetailsManager......Page 87
The CalendarUserDetails object......Page 88
The SpringSecurityUserContext simplifications......Page 89
Displaying custom user attributes......Page 90
CalendarUserAuthenticationProvider......Page 91
Configuring the CalendarUserAuthenticationProvider object......Page 93
The DomainUsernamePasswordAuthenticationToken class......Page 94
Updating CalendarUserAuthenticationProvider......Page 95
Adding domain to the login page......Page 96
The DomainUsernamePasswordAuthenticationFilter class......Page 97
Updating our configuration......Page 98
Which authentication method to use?......Page 101
Summary......Page 102
Chapter 4: JDBC-Based Authentication ......Page 103
Using the H2 database......Page 104
Configuring the H2 embedded database......Page 105
The default user schema of Spring Security......Page 106
Defining user authorities......Page 107
The UserDetailsManager interface......Page 108
Group-based access control......Page 109
Configuring JdbcUserDetailsManager to use groups......Page 111
The group-based schema......Page 112
Group authority mappings......Page 113
Determining the correct JDBC SQL queries......Page 114
Updating the SQL scripts that are loaded......Page 115
Inserting custom authorities......Page 116
Configuring JdbcUserDetailsManager to use custom SQL queries......Page 117
Configuring secure passwords......Page 118
The PasswordEncoder method......Page 120
Configuring password encoding......Page 121
Making Spring Security aware of the PasswordEncoder method......Page 122
Hashing the stored passwords......Page 123
Hashing the passwords of new users......Page 124
Not quite secure......Page 125
Using salt in Spring Security......Page 127
Migrating existing passwords......Page 128
Trying out the salted passwords......Page 129
Summary......Page 131
Chapter 5: Authentication with Spring Data ......Page 132
Updating our dependencies......Page 134
Updating the JBCP calendar to use Spring Data JPA......Page 135
Initializing the database......Page 136
Mapping domain objects using JPA......Page 139
Spring Data repositories......Page 141
Data access objects......Page 142
Application services......Page 147
The UserDetailsService object......Page 148
Document database implementation with MongoDB......Page 149
Reconfiguring the database configuration in MongoDB......Page 150
Initializing the MongoDB database......Page 151
Mapping domain objects with MongoDB......Page 153
Data access objects in MongoDB......Page 156
Summary......Page 157
Chapter 6: LDAP Directory Services ......Page 158
LDAP......Page 159
Common LDAP attribute names......Page 160
Updating our dependencies......Page 162
Configuring an LDAP server reference......Page 163
Enabling the LDAP AuthenticationProviderNext interface......Page 164
Troubleshooting embedded LDAP......Page 165
Understanding how Spring LDAP authentication works......Page 166
Authenticating user credentials......Page 167
Binding anonymously to LDAP......Page 168
Searching for the user......Page 169
Binding as a user to LDAP......Page 170
Determining user role membership......Page 171
Determining roles with Apache Directory Studio......Page 172
Mapping additional attributes of UserDetails......Page 173
Password comparison versus bind authentication......Page 175
Configuring basic password comparison......Page 177
LDAP password encoding and storage......Page 178
The drawbacks of a password comparison authenticator......Page 179
Implicit configuration of UserDetailsContextMapper......Page 180
Viewing additional user details......Page 181
Using an alternate password attribute......Page 184
Configuring LdapUserDetailsService......Page 185
Updating AccountController to use LdapUserDetailsService......Page 186
Integrating Spring Security with an external LDAP server......Page 187
Configuring an external LDAP server reference......Page 189
Configuring the LdapAuthenticationProvider interface......Page 190
Delegating role discovery to UserDetailsService......Page 192
Integrating with Microsoft Active Directory via LDAP......Page 194
Built-in AD support in Spring Security 4.2......Page 196
Summary......Page 198
What is remember-me?......Page 199
Dependencies......Page 200
Configuring the token-based remember-me feature......Page 201
MD5......Page 203
Remember-me signature......Page 204
Token-based remember-me configuration directives......Page 206
Is remember-me secure?......Page 207
Authorization rules for remember-me......Page 208
Persistent remember-me......Page 209
Initializing the data source with the remember-me schema......Page 210
Configuring the persistent-based remember-me feature......Page 211
How does the persistent-based remember-me feature work?......Page 212
JPA-based PersistentTokenRepository......Page 213
Custom RememberMeServices......Page 216
Cleaning up the expired remember-me sessions......Page 217
The remember-me architecture......Page 219
Remember-me and the user life cycle......Page 221
Restricting the remember-me feature to an IP address......Page 222
Custom cookie and HTTP parameter names......Page 225
Summary......Page 226
Chapter 8: Client Certificate Authentication with TLS ......Page 227
How does client certificate authentication work?......Page 228
Setting up the client certificate authentication infrastructure......Page 229
Creating a client certificate key pair......Page 230
Configuring the Tomcat trust store......Page 231
Configuring Tomcat in Spring Boot......Page 234
Using Chrome......Page 235
Wrapping up testing......Page 236
Troubleshooting client certificate authentication......Page 238
Configuring client certificate authentication using the security namespace......Page 239
How does Spring Security use certificate information?......Page 240
How Spring Security certificate authentication works......Page 241
Handling unauthenticated requests with AuthenticationEntryPoint......Page 244
Supporting dual-mode authentication......Page 245
Configuring client certificate authentication using Spring beans......Page 247
Additional capabilities of bean-based configuration......Page 248
Considerations when implementing client certificate authentication......Page 250
Summary......Page 251
Chapter 9: Opening up to OAuth 2 ......Page 252
The promising world of OAuth 2......Page 253
Enabling OAuth authentication with Spring Security......Page 255
Additional required dependencies......Page 256
Local UserConnectionRepository......Page 258
Creating local database entries for provider details ......Page 259
The custom UserConnectionRepository interface......Page 260
Executing the OAuth 2 provider connection workflow......Page 261
Adding OAuth 2 users......Page 262
OAuth 2 controller sign-in flow......Page 263
Automatic user authentication......Page 264
Additional OAuth 2 providers......Page 268
The OAuth 2 user registration problem......Page 271
Registering non-standard OAuth 2 providers......Page 272
Is OAuth 2 secure?......Page 275
Summary......Page 276
Chapter 10: Single Sign-On with the Central Authentication Service ......Page 278
Introducing the Central Authentication Service......Page 279
High-level CAS authentication flow......Page 280
Spring Security and CAS......Page 282
Installing and configuring CAS......Page 283
Configuring basic CAS integration......Page 284
Creating the CAS ServiceProperties object......Page 286
Adding the CasAuthenticationEntryPoint object......Page 287
Enabling CAS ticket verification......Page 289
Proving authenticity with the CasAuthenticationProvider object......Page 291
Single logout......Page 294
Configuring single logout......Page 295
Clustered environments......Page 298
Proxy ticket authentication for stateless services......Page 299
Configuring proxy ticket authentication......Page 300
Using proxy tickets......Page 302
Authenticating proxy tickets......Page 303
CAS WAR overlay......Page 306
How does the CAS internal authentication work?......Page 307
Configuring CAS to connect to our embedded LDAP server......Page 308
Getting the UserDetails object from a CAS assertion......Page 311
Mapping LDAP attributes to CAS attributes......Page 312
Acquiring a UserDetails from CAS......Page 314
Alternative ticket authentication using SAML 1.1......Page 315
How is attribute retrieval useful?......Page 316
Additional CAS capabilities......Page 317
Summary......Page 318
Chapter 11: Fine-Grained Access Control ......Page 319
Integrating Spring Expression Language (SpEL)......Page 320
Using the hasIpAddress method......Page 322
Page-level authorization......Page 324
Conditional rendering based on URL access rules......Page 325
Using controller logic to conditionally render content......Page 327
The WebInvocationPrivilegeEvaluator class......Page 329
What is the best way to configure in-page authorization?......Page 330
Method-level security......Page 331
Securing the business tier......Page 332
Validating method security......Page 334
Interface-based proxies......Page 335
JSR-250 compliant standardized rules......Page 336
Method security using Spring's @Secured annotation......Page 338
Method security rules incorporating method parameters......Page 339
Securing method data using role-based filtering......Page 341
Prefiltering collections with @PreFilter......Page 343
Practical considerations for annotation-based security......Page 344
Summary......Page 345
Chapter 12: Access Control Lists ......Page 346
The conceptual module of ACL......Page 347
Access control lists in Spring Security......Page 348
Basic configuration of Spring Security ACL support......Page 350
Defining a simple target scenario......Page 351
Adding ACL tables to the H2 database......Page 352
Configuring SecurityExpressionHandler......Page 354
The JdbcMutableAclService object......Page 356
The BasicLookupStrategy class......Page 357
EhCacheBasedAclCache......Page 358
The AclAuthorizationStrategyImpl interface......Page 360
Creating a simple ACL entry......Page 361
How permissions work......Page 364
The custom ACL permission declaration......Page 368
Enabling ACL permission evaluation......Page 370
Mutable ACLs and authorization......Page 373
Adding ACLs to newly created events......Page 374
ACL scalability and performance modeling......Page 376
Do not discount custom development costs......Page 378
Should I use Spring Security ACL?......Page 380
Summary......Page 381
Authorizing the requests......Page 382
Configuring a UnanimousBased access decision manager......Page 386
Expression-based request authorization......Page 388
Configuring the RequestConfigMappingService......Page 389
Custom SecurityMetadataSource implementation......Page 393
Registering a custom SecurityMetadataSource......Page 394
Removing our antMatchers() method......Page 395
Configuring a custom SecurityExpressionRoot......Page 396
Configuring a custom SecurityExpressionHandler......Page 397
Configuring and using CustomWebSecurityExpressionHandler......Page 398
Alternative to a CustomWebSecurityExpressionHandler......Page 399
How does method security work?......Page 400
CalendarPermissionEvaluator......Page 403
Configuring CalendarPermissionEvaluator......Page 405
Benefits of a custom PermissionEvaluator......Page 406
Summary......Page 407
Configuring session fixation protection......Page 408
Understanding session fixation attacks......Page 409
Preventing session fixation attacks with Spring Security......Page 410
Simulating a session fixation attack......Page 412
Restricting the number of concurrent sessions per user......Page 415
Understanding concurrent session control......Page 416
Testing concurrent session control......Page 418
Configuring expired session redirect......Page 419
Common problems with concurrency control......Page 420
Preventing authentication instead of forcing logout......Page 421
Other benefits of concurrent session control......Page 422
Displaying active sessions for a user......Page 423
How Spring Security uses the HttpSession method?......Page 425
The HttpSessionSecurityContextRepository interface......Page 426
Debugging with Spring Security's DebugFilter......Page 427
Summary......Page 429
Chapter 15: Additional Spring Security Features ......Page 430
Cross-Site Scripting ......Page 431
Cross-Site Request Forgery......Page 432
Synchronizer tokens......Page 433
Synchronizer token support in Spring Security......Page 434
CSRF protection and JSON......Page 435
Using Spring Security CSRF protection......Page 436
Default CSRF support......Page 437
Including the CSRF token using the Spring Security JSP tag library......Page 438
Ajax and JSON requests......Page 439
jQuery usage......Page 440
Timeouts......Page 441
Logging out......Page 443
Default security headers......Page 444
Cache-Control......Page 445
Content-Type Options......Page 447
HTTP Strict Transport Security ......Page 448
X-Frame-Options......Page 449
Static headers......Page 450
The HeadersWriter instance......Page 451
Summary......Page 452
Chapter 16: Migration to Spring Security 4.2 ......Page 453
Sample migration......Page 454
Spring Security Configuration improvements:......Page 455
Changes to configuration in Spring Security 4......Page 456
UserDetailsServiceWrapper......Page 457
AuthenticationException......Page 459
AuthenticationDetailsSourceImpl......Page 460
RememberMeAuthenticationProvider......Page 461
FilterChainProxy......Page 462
ExceptionTranslationFilter......Page 463
AnonymousAuthenticationFilter......Page 464
PreAuthenticatedGrantedAuthoritiesUserDetailsService......Page 465
PersistentTokenBasedRememberMeServices......Page 466
ConcurrentSessionControlStrategy......Page 467
SessionFixationProtectionStrategy......Page 468
RequestCacheAwareFilter......Page 469
RequestMatcher......Page 470
WebSecurityExpressionHandler......Page 471
Migrating default filter URLs......Page 472
Summary......Page 473
Chapter 17: Microservice Security with OAuth 2 and JSON Web Tokens ......Page 474
Monoliths......Page 475
Microservices......Page 477
Service-oriented architectures......Page 478
The OAuth 2 specification......Page 479
Access token......Page 480
Implicit......Page 481
JSON Web Tokens ......Page 482
Header......Page 483
Signature......Page 484
Resource server......Page 485
Authorization server......Page 486
OAuth 2 client configuration properties......Page 487
JWT access token converter......Page 488
Server requests......Page 489
Token requests......Page 490
Microservices client......Page 493
Configuring the OAuth 2 client......Page 495
Summary......Page 496
Gradle Build Tool......Page 497
Gradle IDE plugins......Page 498
IntelliJ IDEA......Page 499
Creating a new workspace......Page 503
A sample code structure......Page 504
Importing the samples......Page 505
Starting the samples within IDEA......Page 510
Starting the samples within STS......Page 512
Generating a server certificate......Page 513
Configuring Tomcat connector to use SSL......Page 514
Basic Tomcat SSL termination guide......Page 515
Supplementary materials......Page 516
Index......Page 518